You are using a configuration management system to manage your Amazon EC2 instances. On your Amazon EC2 instances, you want to store credentials for connecting to an Amazon RDS DB instance. How should you securely store these credentials?
A. Give the Amazon EC2 instances an IAM role that allows read access to a private Amazon S3 bucket. Store a file with database credentials in the Amazon S3 bucket. Have your configuration management system pull the file from the bucket when it is needed.
B. Launch an Amazon EC2 instance and use the configuration management system to bootstrap the instance with the Amazon RDS DB credentials. Create an AMI from this instance.
C. Store the Amazon RDS DB credentials in Amazon EC2 user data. Import the credentials into the instance on boot.
D. Assign an IAM role to your Amazon RDS instance, and use this IAM role to access the Amazon RDS DB from your Amazon EC2 instances.
E. Store your credentials in your version control system, in plaintext. Check out a copy of your credentials from the version control system on boot. Use Amazon EBS encryption on the volume storing the Amazon RDS DB credentials.
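One concrete way to build the arrangement in option A (an EC2 instance role scoped to a single object in a bucket that is explicitly kept private), as an added CloudFormation example that is not part of the original question or discussion; the bucket, the object key path and all logical names are placeholders:

```yaml
# Added example (not from the page): the role-plus-private-bucket setup of option A.
# All names (bucket, object key, logical IDs) are placeholders chosen for this example.
AWSTemplateFormatVersion: "2010-09-09"
Description: EC2 instance role that can read one credentials object from a private S3 bucket
Resources:
  CredentialsBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Block every form of public access, so "private" is enforced rather than assumed.
      PublicAccessBlockConfiguration:
        { BlockPublicAcls: true, BlockPublicPolicy: true,
          IgnorePublicAcls: true, RestrictPublicBuckets: true }
  DbCredentialsReaderRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadDbCredentialsFile
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Least privilege: only GetObject, and only on the one credentials key.
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "${CredentialsBucket.Arn}/rds/db-credentials.json"
  DbCredentialsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [ !Ref DbCredentialsReaderRole ]
  CredentialsBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref CredentialsBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Refuse plaintext HTTP so the file never crosses the network unencrypted.
          - Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource: [ !GetAtt CredentialsBucket.Arn, !Sub "${CredentialsBucket.Arn}/*" ]
            Condition: { Bool: { "aws:SecureTransport": "false" } }
```

The instance profile is attached to the EC2 instances, so the configuration management system fetches the file with temporary role credentials and no long-lived AWS keys are stored on the instance. Have it write the fetched file with owner-only permissions and enable default server-side encryption on the bucket so the credentials are also encrypted at rest.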
I think it should be option ‘A’
The answer is “A”.
https://aws.amazon.com/blogs/security/how-to-manage-secrets-for-amazon-ec2-container-service-based-applications-by-using-amazon-s3-and-docker/
No way, there are no “private” S3 buckets. S3 is public!
Dude! Seriously?
http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html
Get your basics right.
D right
D is wrong; you cannot assign an IAM role to an RDS instance.
B and C are wrong because they are not secure.
A and E are both OK, but A uses an IAM role for the EC2 instance and pulls from S3, so it seems the best fit with AWS.
I choose A.
Another note: E says “in plaintext”, so it is not secure.
D is correct.
AWS has its own authentication/authorization architect that is different from the one used in an AD/LDAP environment.
…authentication/authorization architecture…
D
We can utilize IAM Roles to allow such privileges securely.
A
A
Best practice as recommended by Amazon.
https://aws.amazon.com/blogs/security/using-iam-roles-to-distribute-non-aws-credentials-to-your-ec2-instances/
I prefer A.
My friend chooses D, and his argument is this:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html#UsingWithRDS.IAMDBAuth.Availability
It seems an IAM role can be assigned to an EC2 instance, and then the EC2 instance can connect to RDS, but there is a limitation on the number of connections, and this question maybe asks for the most secure way. So I prefer A.
And the question is “you want to store credentials for connecting to an Amazon RDS DB instance”; A is credentials managed by the user, D is credentials through a role and managed by AWS.
Vote A.
D guys, please tell me how to “use this IAM role to access the Amazon RDS DB from your Amazon EC2”.
A role is used for AWS service API calls.
RDS is only accessed via the database port (3306, 1521, etc.).
A
D is wrong. Assign an IAM role to your “Amazon RDS instance”?
I think you should assign an IAM role to your “Amazon EC2 instances”
Correct answer is A.